There is no description at this point.
rule win_quickheal_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.quickheal." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bcd e8???????? 85c0 0f84af050000 8d9424b40d0000 } // n = 5, score = 100 // 8bcd | mov ecx, ebp // e8???????? | // 85c0 | test eax, eax // 0f84af050000 | je 0x5b5 // 8d9424b40d0000 | lea edx, [esp + 0xdb4] $sequence_1 = { 8d74247c f2ae f7d1 49 8bfa c1e707 8bc1 } // n = 7, score = 100 // 8d74247c | lea esi, [esp + 0x7c] // f2ae | repne scasb al, byte ptr es:[edi] // f7d1 | not ecx // 49 | dec ecx // 8bfa | mov edi, edx // c1e707 | shl edi, 7 // 8bc1 | mov eax, ecx $sequence_2 = { 50 e8???????? 8bd8 c1ef10 c1e302 57 } // n = 6, score = 100 // 50 | push eax // e8???????? | // 8bd8 | mov ebx, eax // c1ef10 | shr edi, 0x10 // c1e302 | shl ebx, 2 // 57 | push edi $sequence_3 = { f3ab 83c404 66ab 8b4c240c 8d442414 50 } // n = 6, score = 100 // f3ab | rep stosd dword ptr es:[edi], eax // 83c404 | add esp, 4 // 66ab | stosw word ptr es:[edi], ax // 8b4c240c | mov ecx, dword ptr [esp + 0xc] // 8d442414 | lea eax, [esp + 0x14] // 50 | push eax $sequence_4 = { 8bd6 c1ea1d c1e603 0bd6 8bf1 0bf2 23ea } // n = 7, score = 100 // 8bd6 | mov edx, esi // c1ea1d | shr edx, 0x1d // c1e603 | shl esi, 3 // 0bd6 | or edx, esi // 8bf1 | mov esi, ecx // 0bf2 | or esi, edx // 23ea | and ebp, edx $sequence_5 = { be???????? 8d7c2420 8bd0 f3a5 c1ea02 83e23f } // n = 6, score = 100 // be???????? | // 8d7c2420 | lea edi, [esp + 0x20] // 8bd0 | mov edx, eax // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // c1ea02 | shr edx, 2 // 83e23f | and edx, 0x3f $sequence_6 = { eb33 8d542410 6a10 52 8bce 66c744241c0003 e8???????? } // n = 7, score = 100 // eb33 | jmp 0x35 // 8d542410 | lea edx, [esp + 0x10] // 6a10 | push 0x10 // 52 | push edx // 8bce | mov ecx, esi // 66c744241c0003 | mov word ptr [esp + 0x1c], 0x300 // e8???????? | $sequence_7 = { 8d4c241c 68a3090000 51 e8???????? 8bf0 83c41c } // n = 6, score = 100 // 8d4c241c | lea ecx, [esp + 0x1c] // 68a3090000 | push 0x9a3 // 51 | push ecx // e8???????? | // 8bf0 | mov esi, eax // 83c41c | add esp, 0x1c $sequence_8 = { 3b7c2450 729c 53 e8???????? 83c404 8d4c2410 6809380000 } // n = 7, score = 100 // 3b7c2450 | cmp edi, dword ptr [esp + 0x50] // 729c | jb 0xffffff9e // 53 | push ebx // e8???????? | // 83c404 | add esp, 4 // 8d4c2410 | lea ecx, [esp + 0x10] // 6809380000 | push 0x3809 $sequence_9 = { 0bcb 8bde 33d8 33d9 8b6c2444 } // n = 5, score = 100 // 0bcb | or ecx, ebx // 8bde | mov ebx, esi // 33d8 | xor ebx, eax // 33d9 | xor ebx, ecx // 8b6c2444 | mov ebp, dword ptr [esp + 0x44] condition: 7 of them and filesize < 553984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY